It should come as no surprise that the federal government takes cybersecurity compliance quite seriously. After all, federal agencies manage massive stores of data related to national and international security and public health, as well as the personal information of most residents of the country.
FISMA (the Federal Information Security Management Act) defines a set of security requirements intended to provide oversight for federal agencies on this front. No federal agency is exempt from the guidelines laid out in FISMA, so it’s important to gain a firm understanding of the regulations if you handle data for a federal agency or you provide services subject to FISMA compliance.
FISMA Compliance Overview
FISMA contains some of the most important regulations related to federal data protection standards. Signed into law as Title III of the E-Government Act of 2002, which was introduced to improve the management of electronic government services and processes, FISMA provides a comprehensive framework aimed at protecting sensitive government information. The act was updated in 2014 by the Federal Information Security Modernization Act, which kept the FISMA acronym and expanded the operational role of the Department of Homeland Security in overseeing agency security programs.
Scope of FISMA
FISMA rules apply to all agencies within the U.S. government, as well as state agencies that administer federal programs. State agencies that administer federal programs such as the following are required to comply with FISMA regulations:
- Unemployment insurance
- Student loans
The act also applies to private businesses that store or process federal information under contract with a federal agency or with one of these state agencies. This is true whether the business provides services, supports a federal program or receives federal grant money. Private entities whose only connection to the federal government is being a grant recipient are often caught off guard by FISMA requirements.
Benefits of FISMA Compliance
Government agencies at every level have been targeted more frequently by bad actors in recent years. The result has been several high-profile data breach incidents involving private data and financial information.
FISMA compliance can help organizations reduce risk and keep data safer, which in turn reduces the financial risks associated with data breach recovery. For non-government organizations, FISMA compliance enables them to become contractors to federal agencies.
Penalties for FISMA Compliance Violations
Failing to comply with FISMA can result in a host of unwelcome repercussions, including:
- Censure by Congress
- Reduction in federal funding
- Increased government oversight
- Damage to reputation
Related Guidelines and Standards
FISMA and OMB Guidelines
The Office of Management and Budget (OMB) released guidance in April 2010 (memorandum M-10-15) that moved FISMA reporting away from annual paper reports toward automated, near-real-time data feeds, so that the security posture of FISMA-regulated information systems can be monitored continuously rather than assessed once a year. The OMB guidance relies on requirements laid out in the Federal Information Processing Standards (FIPS) of the National Institute of Standards and Technology (NIST).
FISMA makes NIST's FIPS mandatory for federal agencies; two of them are central to compliance:
- FIPS 199 (Standards for Security Categorization of Federal Information and Information Systems) addresses the FISMA requirement to develop standards for categorizing information and information systems. FIPS 199 requires a “common framework and understanding” that promotes effective management and oversight of information security programs, and consistent reporting to the OMB and Congress regarding the adequacy and effectiveness of information security policies, procedures and practices.
- FIPS 200 (Minimum Security Requirements for Federal Information and Information Systems) establishes the “minimum levels of due diligence for information security” for federal agencies. The goal here is to establish a consistent, comparable and repeatable approach for “selecting and specifying security controls for information systems that meet minimum security requirements” laid out by the guidelines.
FISMA and NIST Standards
Several NIST standards correlate directly with FISMA compliance, including:
- NIST SP 800-39 — Titled “Managing Information Security Risk: Organization, Mission, and Information System View,” this document provides guidance for implementing an integrated, organization-wide program for managing the information security risk to organizational assets, individuals, other organizations and the U.S. as a whole that results from the operation and use of federal information systems. It outlines a “structured yet flexible approach” to risk management in an intentionally broad way; specific directives for implementing these programs are provided in supporting NIST standards and guidelines.
- NIST SP 800-37 — Revision 1 was titled “Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach”; the current Revision 2 is titled “Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy.” It offers a “disciplined, structured, flexible process for managing security and privacy risk” and covers system categorization, control selection, implementation, assessment, system and common control authorization, and continuous monitoring.
- NIST SP 800-30 — This “Guide for Conducting Risk Assessments” provides details about assigning risk management categories, as well as determining appropriate courses of action in response to those risks. It provides a framework for carrying out the risk assessment process, including how to prepare for the assessment, conduct the assessment and communicate the results of the assessment.
- NIST SP 800-53 — Titled “Security and Privacy Controls for Federal Information Systems and Organizations” (Revision 5 drops the word “Federal” from the title), this document catalogs the security and privacy controls for federal information systems other than national security systems. It supports the control selection step of the Risk Management Framework in accordance with the minimum security requirements of FIPS 200.
- NIST SP 800-53A — Originally titled “Guide for Assessing the Security Controls in Federal Information Systems and Organizations” and now “Assessing Security and Privacy Controls in Information Systems and Organizations,” this document gives guidance for building “effective security assessment plans and privacy assessment plans.” It also provides the assessment procedures used to determine whether the security and privacy controls in SP 800-53 are implemented correctly, operating as intended and producing the desired outcome.
FISMA and FedRAMP
The Federal Risk and Authorization Management Program (FedRAMP) is related to FISMA in that it applies the same NIST Risk Management Framework and SP 800-53 controls to the protection of federal data. However, FedRAMP focuses on cloud services: it provides a standardized, government-wide process for assessing, authorizing and continuously monitoring cloud service offerings, so that an agency can reuse a FedRAMP authorization to satisfy its own FISMA obligations for that service instead of assessing the provider from scratch.
Given today’s increasing reliance on the cloud, many FISMA-compliance software products also include features that map controls and evidence to FedRAMP requirements.
The following eight FISMA requirements represent some of the most crucial elements of the act.
- Maintain an Information System Inventory
An information system inventory should include all systems or networks that can access federal agency data, including those not operated by (or under the control of) the agency itself, as well as the interfaces between systems. NIST SP 800-18, Revision 1 (Guide for Developing Security Plans for Federal Information Systems) provides guidance for determining how to group information systems and their boundaries.
- Categorize Information Systems
FISMA requires categorizing information and information systems according to the potential impact that a loss of confidentiality, integrity or availability would have on the organization. FIPS 199 assigns each of these three security objectives one of three impact values; the system’s overall impact level is the highest of the three (the “high water mark”):
Low impact — A degradation in mission capability to an extent and duration that the organization is still able to perform its primary functions but with the effectiveness of the functions being noticeably reduced. Examples include:
- Minor damage to organizational assets
- Minor financial loss
- Minor harm to individuals
Moderate impact — Significant degradation in mission capability to an extent and duration that the organization is still able to perform its primary functions but with the effectiveness of the functions being significantly reduced. Examples include:
- Significant damage to organizational assets
- Significant financial loss
- Significant harm to individuals that does not involve loss of life or serious, life-threatening injuries
High impact — Severe degradation in or loss of mission capability to an extent and duration that the organization is not able to perform one or more of its primary functions. Examples include:
- Major damage to organizational assets
- Major financial loss
- Severe or catastrophic harm to individuals involving loss of life or serious life-threatening injuries
- Design and Maintain a System Security Plan
NIST SP 800-18 provides guidelines for security plan development and implementation, and setting up a review plan to periodically assess operation security.
- Conduct Risk Assessments
NIST SP 800-37 and NIST SP 800-30 provide information about conducting risk assessments in order to analyze current threats, anticipate new ones and choose security controls that will reduce risk to a more acceptable level.
- Utilize Appropriate Security Controls
FIPS 200 requires agencies to select a baseline of security controls matching the system’s impact level and to apply tailoring guidance and supplemental controls as needed based on the risk assessment, and NIST SP 800-53 catalogs the controls and the low, moderate and high baselines. Security controls can be applied flexibly so that they align with the agency’s mission and operational environment, provided that the agency documents the selected controls, and the rationale for any tailoring, in its system security plan.
- Conduct Continuous Monitoring
NIST SP 800-37 and SP 800-53A lay out the guidelines for continuous monitoring of security controls, and NIST SP 800-137 (Information Security Continuous Monitoring for Federal Information Systems and Organizations) describes how to build the monitoring program. Monitoring in this context draws particularly on the System and Information Integrity (SI), Configuration Management (CM), Incident Response (IR) and Audit and Accountability (AU) control families.
- Annual Review Requirement
To maintain FISMA compliance, agencies must conduct annual reviews of their information security programs. These reviews are conducted by inspectors general, chief information officers (CIOs) and other federal program officials. Once the reviews have been conducted, agencies report the results to the OMB, which prepares an official annual FISMA compliance report to Congress.
- Certification and Accreditation (C&A)
In order to support the required annual security reviews, agencies need to complete FISMA Certification and Accreditation (C&A), a process that NIST SP 800-37 now calls Assessment and Authorization (A&A) under the Risk Management Framework. The process has four phases:
- Initiation and planning
- Certification (assessment of the system’s security controls)
- Accreditation (the authorizing official’s formal decision to accept the residual risk and allow the system to operate)
- Continuous monitoring
The process requires developing and demonstrating an understanding of several key FISMA and NIST concepts, including:
- Identifying weaknesses
- Changing existing security practices
- Implementing new safeguards
Certification produces the assessment evidence on which the accreditation decision rests; once a system is accredited, the agency maintains its authorization by continuing to implement FISMA requirements and monitoring the controls. C&A is not a one-time event; OMB requires periodic reassessment and reauthorization of FISMA-regulated systems, with continuous monitoring in between.
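The “Categorize Information Systems” and “Utilize Appropriate Security Controls” steps above describe a mechanical rule that is easy to get wrong by hand: every information type on a system is categorized per security objective, the system inherits the highest value for each objective (FIPS 199 calls this the high water mark, and allows “not applicable” only for the confidentiality of public information), and the FIPS 200 overall impact level, which picks the SP 800-53 baseline, is the highest of the system’s three values. The following Python program is an added example, not code from this page, NIST or any agency; it parses the notation FIPS 199 uses for a security category and applies those rules. The information types in `main` are constructed for a hypothetical benefits-processing system.

```python
"""FIPS 199 security categorization and FIPS 200 impact-level selection.

Added example (not code from the page, NIST or any agency). It implements the
high-water-mark rules of FIPS 199 Section 3 and the overall-impact-level rule
of FIPS 200; the information types in main() are constructed for illustration.
"""
import re
from dataclasses import dataclass
from enum import IntEnum
from typing import Iterable


class Impact(IntEnum):
    NA = 0        # "not applicable": FIPS 199 allows it only for confidentiality of an information type
    LOW = 1
    MODERATE = 2
    HIGH = 3


OBJECTIVES = ("confidentiality", "integrity", "availability")


@dataclass(frozen=True)
class SecurityCategory:
    confidentiality: Impact
    integrity: Impact
    availability: Impact

    def as_fips199(self) -> str:
        """Render in the notation FIPS 199 uses, e.g. SC = {(confidentiality, LOW), ...}."""
        pairs = ", ".join(f"({o}, {getattr(self, o).name})" for o in OBJECTIVES)
        return f"SC = {{{pairs}}}"


# One "(objective, value)" pair in the FIPS 199 notation; case-insensitive, "N/A" accepted.
_PAIR = re.compile(
    r"\(\s*(confidentiality|integrity|availability)\s*,\s*(N/?A|LOW|MODERATE|HIGH)\s*\)",
    re.IGNORECASE,
)


def parse_sc(text: str) -> SecurityCategory:
    """Parse a security category written in FIPS 199 notation for one information type."""
    found: dict[str, Impact] = {}
    for objective, value in _PAIR.findall(text):
        objective = objective.lower()
        if objective in found:
            raise ValueError(f"objective {objective!r} given twice")
        found[objective] = Impact[value.upper().replace("/", "")]
    missing = [o for o in OBJECTIVES if o not in found]
    if missing:
        raise ValueError(f"missing objectives: {missing}")
    # FIPS 199: NA is permitted for confidentiality (public information) only.
    if found["integrity"] is Impact.NA or found["availability"] is Impact.NA:
        raise ValueError("NA is only allowed for confidentiality")
    return SecurityCategory(**found)


def system_category(info_types: Iterable[SecurityCategory]) -> SecurityCategory:
    """High-water mark across every information type on the system.

    FIPS 199 requires each objective of a *system* to be at least LOW, so a
    system holding only public information still gets confidentiality = LOW.
    """
    cats = list(info_types)
    if not cats:
        raise ValueError("a system must hold at least one information type")
    values = {
        o: max(max(getattr(c, o) for c in cats), Impact.LOW) for o in OBJECTIVES
    }
    return SecurityCategory(**values)


def impact_level(sc: SecurityCategory) -> Impact:
    """FIPS 200 overall impact level: the highest value across the three objectives."""
    return max(sc.confidentiality, sc.integrity, sc.availability)


def control_baseline(sc: SecurityCategory) -> str:
    """Name of the SP 800-53 baseline (LOW, MODERATE or HIGH) the system starts from
    before tailoring; any tailoring must then be documented in the system security plan."""
    return impact_level(sc).name


if __name__ == "__main__":
    # Constructed information types for a hypothetical benefits-processing system.
    public_web = parse_sc("SC = {(confidentiality, NA), (integrity, MODERATE), (availability, MODERATE)}")
    claimant_pii = parse_sc("SC = {(confidentiality, MODERATE), (integrity, MODERATE), (availability, LOW)}")
    payment_file = parse_sc("SC = {(confidentiality, MODERATE), (integrity, HIGH), (availability, LOW)}")

    system = system_category([public_web, claimant_pii, payment_file])
    print(system.as_fips199())                   # integrity HIGH drives the whole system
    print("impact level:", impact_level(system).name)
    print("baseline:", control_baseline(system))
```

The point the example makes is that a single information type with one HIGH objective pulls the entire system to the HIGH baseline, regardless of how modest the other types are; the usual way to avoid over-scoping is to split such data into its own system boundary (the inventory step above), which is an authorization-boundary decision to record in the system security plan rather than a reason to lower the rating.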
FISMA Compliance Best Practices
Follow these six best practices to help your organization stay FISMA-compliant:
- Gain a high-level view of the sensitive data you store.
- Run periodic risk assessments to identify, prioritize and remediate information security gaps.
- Maintain evidence of how you’re complying with FISMA.
- Evaluate and routinely test how well your security controls and policies work to protect your systems.
- Monitor for updates to FISMA.
- Conduct ongoing employee training to keep your team up to date on the latest FISMA requirements and cybersecurity threats.
- What is FISMA?
FISMA is a U.S. federal law that provides a comprehensive framework aimed at protecting sensitive government information.
- Who must comply with FISMA?
FISMA rules apply to all agencies within the federal government, as well as state agencies that administer federal programs. It also applies to private businesses that store or process federal information under contract with a federal agency or with these state agencies, including those that provide services, support a federal program or receive federal grant money.
- What is the relationship between NIST and FISMA?
NIST publishes several guides to help organizations comply with FISMA.
- What are the penalties for FISMA noncompliance?
Government agencies and related private companies can face several penalties for failing to stay compliant with FISMA, including:
- Being censured by Congress
- Reduction in federal funding
- Damage to reputation
- Increased government oversight
- How can an organization certify its FISMA compliance?
OMB and NIST lay out a multiphase authorization process (historically Certification and Accreditation, now Assessment and Authorization under the Risk Management Framework) with periodic reauthorization and continuous monitoring for FISMA-regulated systems.